Home » TP-Link Manuals » Hubs & Switches » TP-Link T2600G-28MPS » Manual Viewer

TP-Link T2600G-28MPS T2600G-28MPSUN V1 User Guide - Page 293

ND Detection Process

View all TP-Link T2600G-28MPS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 293 highlights

gateway or the other hosts who have received these NS/NA/RS packets will update their ND entry with the wrong address information. AS a result, all packets intended for the victim will be sent to the attacking host rather than the victim host. • The attackers send forged RA packets with the IPv6 address of a victim gateway. All the hosts attached to the victim gateway may receive incorrect IPv6 configuration parameters and maintain false ND entries. A forged ND packet has the following two features: • The source MAC address in the Ethernet frame header is inconsistent with that carried in the source link layer address option of the ND packet. • The mapping between the source IPv6 address and the source MAC address in the Ethernet frame header is invalid.  ND Detection Process Generally, the ND detection feature uses the entries in the IPv6-MAC binding table to verify the packets received on the untrusted ports, thus filtering the forged ND packets and keeping out the attacks. 1. ND packets received on the ND-trusted port will not be checked. 2. RS/NS packets with their source IPv6 address unspecified will not be checked. 3. RA/RR packets received on the ND-untrusted port will be discarded directly; the other ND packets received on the ND-untrusted port will be checked. a) Source MAC consistence check. If the RS/NS packet's source MAC address in the Ethernet frame header is different from that carried in the source layer address option, the RS/NS packet will be discarded. b) IPv6-MAC binding check. Look up the IPv6-MAC binding table to compare the IPv6 address, MAC address, VLAN ID and receiving port between the entry and the ND packet. If a match is found, the ND packet is considered legal and forwarded; if no match is found, the ND packet is considered illegal and discarded directly. 282

Section	Page
Package Contents	12
Chapter 1 About this Guide	13
1.1 Intended Readers	13
1.2 Conventions	13
1.3 Overview of This Guide	14
Chapter 2 Introduction	19
2.1 Overview of the Switch	19
2.2 Appearance Description	19
2.2.1 Front Panel	19
2.2.2 Rear Panel	24
Chapter 3 Login to the Switch	25
3.1 Login	25
3.2 Configuration	26
Chapter 4 System	27
4.1 System Info	27
4.1.1 System Summary	27
4.1.2 Device Description	28
4.1.3 System Time	29
4.1.4 Daylight Saving Time	30
4.1.5 Serial Port Setting	31
4.2 User Management	32
4.2.1 User Table	32
4.2.2 User Config	32
4.3 System Tools	34
4.3.1 Boot Config	34
4.3.2 Config Restore	35
4.3.3 Config Backup	35
4.3.4 Firmware Upgrade	36
4.3.5 System Reboot	37
4.3.6 Reboot Schedule	37
4.3.7 System Reset	38
4.4 Access Security	38
4.4.1 Access Control	38
4.4.2 HTTP Config	40
4.4.3 HTTPS Config	40
4.4.4 SSH Config	43
4.4.5 Telnet Config	50
4.5 SDM Template	50
4.5.1 SDM Template Config	50
Chapter 5 Switching	52
5.1 Port	52
5.1.1 Port Config	52
5.1.2 Port Mirror	53
5.1.3 Port Security	55
5.1.4 Port Isolation	57
5.1.5 Loopback Detection	58
5.2 LAG	60
5.2.1 LAG Table	61
5.2.2 Static LAG	62
5.2.3 LACP Config	63
5.3 Traffic Monitor	65
5.3.1 Traffic Summary	65
5.3.2 Traffic Statistics	66
5.4 MAC Address	67
5.4.1 Address Table	69
5.4.2 Static Address	70
5.4.3 Dynamic Address	71
5.4.4 Filtering Address	73
5.4.5 MAC Notification	74
5.4.6 MAC VLAN Security	75
5.5 L2PT	76
5.5.1 L2PT Config	77
Chapter 6 VLAN	79
6.1 802.1Q VLAN	80
6.1.1 VLAN Config	81
6.1.2 Port Config	82
6.2 Application Example for 802.1Q VLAN	84
6.3 MAC VLAN	85
6.3.1 MAC VLAN	86
6.3.2 Port Enable	87
6.4 Application Example for MAC VLAN	87
6.5 Protocol VLAN	89
6.5.1 Protocol Group Table	90
6.5.2 Protocol Group	91
6.5.3 Protocol Template	91
6.6 Application Example for Protocol VLAN	93
6.7 VLAN VPN	95
6.7.1 VPN Config	96
6.7.2 Port Enable	97
6.7.3 VLAN Mapping	97
6.8 GVRP	100
6.9 Private VLAN	103
6.9.1 PVLAN Config	105
6.9.2 Port Config	106
6.10 Application Example for Private VLAN	107
Chapter 7 Spanning Tree	110
7.1 STP Config	115
7.1.1 STP Config	115
7.1.2 STP Summary	117
7.2 Port Config	118
7.3 MSTP Instance	119
7.3.1 Region Config	120
7.3.2 Instance Config	120
7.3.3 Instance Port Config	121
7.4 STP Security	123
7.4.1 Port Protect	123
7.4.2 TC Protect	126
7.5 Application Example for STP Function	126
Chapter 8 Ethernet OAM	131
8.1 Basic Config	134
8.1.1 Basic Config	135
8.1.2 Discovery Info	136
8.2 Link Monitoring	138
8.3 RFI	139
8.4 Remote Loopback	140
8.5 Statistics	141
8.5.1 Statistics	141
8.5.2 Event Log	142
8.6 DLDP	143
8.7 Application Example for DLDP	147
Chapter 9 Multicast	150
9.1 IGMP Snooping	154
9.1.1 Snooping Config	156
9.1.2 Port Config	158
9.1.3 VLAN Config	159
9.1.4 Multicast VLAN	160
9.1.5 Querier Config	164
9.1.6 Profile Config	165
9.1.7 Profile Binding	167
9.1.8 Packet Statistics	168
9.1.9 IGMP Authentication	170
9.2 MLD Snooping	171
9.2.1 Snooping Config	172
9.2.2 Port Config	175
9.2.3 VLAN Config	176
9.2.4 Multicast VLAN	177
9.2.5 Querier Config	179
9.2.6 Profile Config	180
9.2.7 Profile Binding	182
9.2.8 Packet Statistics	183
9.3 Multicast Table	185
9.3.1 IPv4 Multicast Table	185
9.3.2 Static IPv4 Multicast Table	185
9.3.3 IPv6 Multicast Table	187
9.3.4 Static IPv6 Multicast Table	187
Chapter 10 Routing	190
10.1 Interface	190
10.2 Routing Table	202
10.2.1 IPv4 Routing Table	202
10.2.2 IPv6 Routing Table	202
10.3 Static Routing	203
10.3.1 IPv4 Static Routing Config	203
10.3.2 IPv6 Static Routing Config	204
10.4 DHCP Server	205
10.4.1 DHCP Server	211
10.4.2 Pool Setting	212
10.4.3 Manual Binding	213
10.4.4 Binding Table	214
10.4.5 Packet Statistics	215
10.4.6 Application Example for DHCP Server and Relay	216
10.5 DHCP Relay	218
10.5.1 Global Config	220
10.5.2 DHCP Server	221
10.6 ARP	222
10.6.1 ARP Table	222
10.6.2 Static ARP	222
Chapter 11 QoS	224
11.1 DiffServ	227
11.1.1 Port Priority	227
11.1.2 Schedule Mode	228
11.1.3 802.1P Priority	229
11.1.4 DSCP Priority	230
11.2 Bandwidth Control	232
11.2.1 Rate Limit	232
11.2.2 Storm Control	233
11.3 Voice VLAN	234
11.3.1 Global Config	236
11.3.2 Port Config	237
11.3.3 OUI Config	238
Chapter 12 PoE	240
12.1 PoE Config	240
12.1.1 PoE Config	241
12.1.2 PoE Profile	242
12.2 Time-Range	243
12.2.1 Time-Range Summary	244
12.2.2 Time-Range Create	244
12.2.3 Holiday Config	246
Chapter 13 ACL	248
13.1 Time-Range	248
13.1.1 Time-Range Summary	248
13.1.2 Time-Range Create	249
13.1.3 Holiday Config	250
13.2 ACL Config	250
13.2.1 ACL Summary	250
13.2.2 ACL Create	251
13.2.3 MAC ACL	251
13.2.4 Standard-IP ACL	253
13.2.5 Extend-IP ACL	254
13.2.6 Combined ACL	255
13.2.7 IPv6 ACL	256
13.3 Policy Config	258
13.3.1 Policy Summary	258
13.3.2 Policy Create	259
13.3.3 Action Create	259
13.4 ACL Binding	260
13.4.1 Binding Table	261
13.4.2 Port Binding	262
13.4.3 VLAN Binding	263
13.5 Policy Binding	263
13.5.1 Binding Table	264
13.5.2 Port Binding	265
13.5.3 VLAN Binding	266
13.6 Application Example for ACL	266
Chapter 14 Network Security	269
14.1 IP-MAC Binding	269
14.1.1 Binding Table	269
14.1.2 Manual Binding	270
14.1.3 ARP Scanning	272
14.2 IPv6-MAC Binding	273
14.2.1 Binding Table	274
14.2.2 Manual Binding	275
14.2.3 ND Snooping	277
14.3 DHCP Snooping	279
14.3.1 Global Config	282
14.3.2 Port Config	283
14.3.3 Option 82 Config	284
14.4 DHCPv6 Snooping	285
14.5 ARP Inspection	286
14.5.1 ARP Detect	289
14.5.2 ARP Defend	290
14.5.3 ARP Statistics	291
14.6 ND Detection	292
14.7 IP Source Guard	294
14.8 DoS Defend	296
14.8.1 DoS Defend	297
14.9 802.1X	297
14.9.1 Global Config	301
14.9.2 Port Config	302
14.10 PPPoE	304
14.11 AAA	307
14.11.1 Global Config	308
14.11.2 Privilege Elevation	308
14.11.3 RADIUS Server Config	308
14.11.4 TACACS+ Server Config	309
14.11.5 Authentication Server Group Config	310
14.11.6 Authentication Method List Config	312
14.11.7 Application Authentication List Config	313
14.11.8 802.1X Authentication Server Config	314
14.11.9 Default Settings	314
Chapter 15 SNMP	316
15.1 SNMP Config	318
15.1.1 Global Config	318
15.1.2 SNMP View	319
15.1.3 SNMP Group	320
15.1.4 SNMP User	321
15.1.5 SNMP Community	323
15.2 Notification	325
15.3 RMON	327
15.3.1 Statistics	328
15.3.2 History	329
15.3.3 Event	330
15.3.4 Alarm Config	331
Chapter 16 LLDP	333
16.1 Basic Config	337
16.1.1 Global Config	337
16.1.2 Port Config	338
16.2 Device Info	339
16.2.1 Local Info	339
16.2.2 Neighbor Info	340
16.3 Device Statistics	341
16.4 LLDP-MED	342
16.4.1 Global Config	343
16.4.2 Port Config	343
16.4.3 Local Info	346
16.4.4 Neighbor Info	347
Chapter 17 Maintenance	348
17.1 System Monitor	348
17.1.1 CPU Monitor	348
17.1.2 Memory Monitor	349
17.2 sFlow	350
17.2.1 sFlow Collector	351
17.2.2 sFlow Sampler	352
17.2.3 Default Settings	353
17.3 Log	353
17.3.1 Log Table	353
17.3.2 Local Log	354
17.3.3 Remote Log	355
17.3.4 Backup Log	356
17.4 Device Diagnostics	357
17.4.1 Cable Test	357
17.5 Network Diagnostics	358
17.5.1 Ping	358
17.5.2 Tracert	359
Appendix A. Password Recovery	360
Appendix B. Specifications	361

Match case Limit results 1 per page

gateway or the other hosts who have received these NS/NA/RS packets will update their ND

entry with the wrong address information. AS a result, all packets intended for the victim will be

sent to the attacking host rather than the victim host.

•

The attackers send forged RA packets with the IPv6 address of a victim gateway. All the hosts

attached to the victim gateway may receive incorrect IPv6 configuration parameters and

maintain false ND entries.

A forged ND packet has the following two features:

•

The source MAC address in the Ethernet frame header is inconsistent with that carried in the

source link layer address option of the ND packet.

•

The mapping between the source IPv6 address and the source MAC address in the Ethernet

frame header is invalid.



ND Detection Process

Generally, the ND detection feature uses the entries in the IPv6-MAC binding table to verify the

packets received on the untrusted ports, thus filtering the forged ND packets and keeping out the

attacks.

1. ND packets received on the ND-trusted port will not be checked.

2. RS/NS packets with their source IPv6 address unspecified will not be checked.

3. RA/RR packets received on the ND-untrusted port will be discarded directly; the other ND

packets received on the ND-untrusted port will be checked.

a) Source MAC consistence check. If the RS/NS packet’s source MAC address in the Ethernet

frame header is different from that carried in the source layer address option, the RS/NS

packet will be discarded.

b) IPv6-MAC binding check. Look up the IPv6-MAC binding table to compare the IPv6 address,

MAC address, VLAN ID and receiving port between the entry and the ND packet. If a match

is found, the ND packet is considered legal and forwarded; if no match is found, the ND

packet is considered illegal and discarded directly.

282